[00:10.910 --> 00:21.270]  Hey guys! Hope you're doing great and safe. I'm thrilled to give a lecture at Aerospace Village
[00:21.270 --> 00:31.970]  this year, and that's an honor for me, and I appreciate it. I hope you will enjoy my presentation.
[00:34.210 --> 00:39.090]  In fact, today I'm not going to talk about ordinary topics
[00:39.090 --> 00:47.970]  regarding aviation, or something like that. Actually, I'm going to talk about a novel topic,
[00:47.970 --> 00:54.390]  something more practical and different from anything you've heard before.
[00:54.910 --> 01:02.230]  Because we are at DEF CON, we must talk about something possible which makes sense.
[01:02.230 --> 01:08.350]  This presentation covers radio-based and signaling vulnerabilities which impact
[01:08.350 --> 01:16.970]  passengers, airplanes, and other avionics components. Also, I will give you a deep
[01:16.970 --> 01:23.330]  and clear perspective like a malicious passenger, a malefactor in the radio field,
[01:23.330 --> 01:29.010]  and a hacker who has access to the mobile network.
[01:32.250 --> 01:39.010]  Hello, my friends, and welcome to my talk. I'm Ali Abdullahi, a cybersecurity engineer with
[01:39.010 --> 01:46.190]  over eight years of experience in a variety of fields. I love to share my experience and
[01:46.190 --> 01:55.070]  little knowledge with others, and I also love bug hunting to make our world a safer place for
[01:55.070 --> 02:03.090]  everyone. And I'm a regular speaker and trainer at famous cybersecurity and hacking conferences
[02:03.090 --> 02:12.530]  like Cocoon B-Sides, TyphoonCon, Cyber Jungle, OWASP AppSec Days, CONFidence, and this year,
[02:12.530 --> 02:27.420]  besides Aerospace Village, DEF CON Red Team Village and AppSec Village. So, please consider all avionic
[02:27.420 --> 02:36.220]  components, as well as airplanes, as victims while I am presenting my research. This is because
[02:36.220 --> 02:44.160]  each component, like passenger, entertainment, navigation systems, etc., is a subscriber when
[02:44.160 --> 02:53.660]  using mobile communications. So, the purpose of this talk is to deep dive into this communication,
[02:53.660 --> 03:00.940]  which is called Air-to-Ground or A2G. And I'm going to show you possible attack vectors
[03:00.940 --> 03:07.260]  from radio and signaling points of view which Frieden denotes.
[03:12.280 --> 03:21.580]  What is an A2G system? A2G stands for Air-to-Ground system, which is based on mobile or cellular
[03:21.580 --> 03:29.740]  technologies like GSM, UMTS, and LTE, for aircraft, UAVs, etc.,
[03:32.240 --> 03:39.280]  and the main usage of this system is to bring high-speed connections when you are flying over
[03:39.280 --> 03:45.640]  the ground. However, when you are over the sea, the airplane can take advantage of satellite
[03:45.640 --> 03:55.560]  communications. But there are some big differences between A2G and satellites, like
[03:55.560 --> 04:02.590]  low latency, ease of use, low-cost implementation, and more flexibility.
[04:07.040 --> 04:15.230]  The first and foremost usage of Air-to-Ground is to bring mobile broadband connectivity for
[04:15.230 --> 04:23.830]  passengers when flying. Other avionic components in the airplane, like EFB and IFE, could take advantage
[04:23.830 --> 04:31.530]  of this network. Improving onboard cabin services, real-time monitoring,
[04:35.150 --> 04:41.270]  and easy and flexible management are other advantages of Air-to-Ground systems.
[04:44.980 --> 04:57.740]  So, here is the whole architecture of the system. As you can see, the airplane in this picture
[04:57.740 --> 05:04.280]  is connected to the ground via a direct Air-to-Ground system or using satellite communications.
[05:05.060 --> 05:16.800]  So, there are some base stations or radio towers, which are called BTS, Node-B in 3G, or E-Node-B in 4G.
[05:18.520 --> 05:27.300]  This part of the network is called the radio access network or RAN. And the second part is the mobile core
[05:27.300 --> 05:33.620]  network, which handles signaling and communications and is connected to the RAN and other networks.
[05:34.280 --> 05:45.410]  In this picture, EPC stands for Evolved Packet Core, or circuit switch, in LTE technology.
[05:45.970 --> 05:52.870]  Well, now I'm going to talk about possible offensive scenarios in radio access networks.
[05:53.690 --> 06:01.970]  Whenever an attacker has unauthorized access to a base station, by breaking the defenses or
[06:01.970 --> 06:07.530]  maybe as an insider, the attacker can intercept the connections and manipulate them between
[06:07.530 --> 06:14.070]  the airplane and the ground. So, in this case, our malefactor is located on the ground.
[06:21.980 --> 06:30.400]  This one is a hot topic: in-flight fake BTS or IMSI catcher. You may have heard many, many times
[06:30.400 --> 06:38.200]  about fake BTSs or fake base stations and IMSI catchers in the news. But this time,
[06:38.200 --> 06:45.400]  it's different because the vector is something else. And this is the first part of our attack chain.
[06:46.040 --> 06:54.180]  To do this, the malicious passenger or malefactor jams the current signals in the field using
[06:54.180 --> 07:03.120]  jammers, and after that will run an IMSI catcher or fake BTS to perform a man-in-the-middle to
[07:03.120 --> 07:11.800]  retrieve one of the most valuable values, called the IMSI. In this case, an attacker will gather
[07:11.800 --> 07:18.960]  all passengers' and components' IMSI numbers to perform further exploitation.
[07:25.780 --> 07:34.920]  Again, another hot topic: in-flight sniffing. To perform it, we need to have an RTL-SDR or
[07:34.920 --> 07:49.180]  BladeRF, HackRF, USRP, or Osmocom and a Motorola C115 or C118. And in this scenario, while an attacker
[07:49.180 --> 07:59.900]  uses this equipment, he or she can sniff all in-transit data. As you can see, all packets
[08:00.540 --> 08:10.140]  sent and received, like voice, data, and network info, have been captured here. You can see all RRC
[08:11.250 --> 08:19.340]  protocol packets here, and signaling connection release packets captured here, and all paging
[08:19.340 --> 08:31.380]  requests captured, as you can see in this picture. Here is another proof of concept
[08:31.380 --> 08:45.160]  which points to an IMSI number. So, in this picture, you can see all the SIM card details
[08:45.160 --> 08:58.860]  which an attacker retrieved via OsmocomBB. In another scenario, an attacker can take advantage
[08:58.860 --> 09:07.280]  of an open-source script called TMSI Sniffer to sniff all TMSI numbers on board.
[09:09.960 --> 09:18.040]  What is TMSI actually? As I told you before, because the IMSI number is a unique value for each
[09:18.040 --> 09:28.120]  subscriber, it is very important to exchange the actual IMSI number as little as possible in radio networks.
[09:28.280 --> 09:35.600]  Components use TMSI, which is a random number based on the actual IMSI value, to reduce the
[09:35.600 --> 09:46.840]  risk of IMSI disclosure. And here you can see the attacker sniffing all TMSI numbers on board
[09:47.330 --> 10:01.260]  or in the field. If GSM technology works, or an attacker can jam the LTE or UMTS frequencies to
[10:01.260 --> 10:10.840]  force the network to downgrade to GSM, the attacker can review the network encryption level
[10:10.840 --> 10:17.960]  to analyze the security level, or maybe find that there is no sufficient encryption.
[10:18.520 --> 10:36.980]  And this is very good news for a hacker. Well, well, well, it is time to start one of
[10:43.040 --> 10:51.080]  these scenarios: it is time to clone a passenger's SIM card. It's interesting. To do this malicious scenario,
[10:51.080 --> 10:57.760]  we need just some basic info regarding the targeted SIM card, which was gathered from the
[10:58.620 --> 11:03.800]  previous stages, and a SIM card reader or even our Osmocom environment.
[11:11.080 --> 11:18.360]  Okay, dear passengers, I have all your mobile devices' TMSI numbers and we are going to
[11:18.360 --> 11:38.000]  perform denial of service. Okay, so this is our first DoS scenario. And in this case,
[11:38.000 --> 11:44.640]  we will take advantage of the IMSI detach request to disrupt mobile node availability in the radio
[11:44.640 --> 12:02.400]  network. So here is another way. So passengers, please don't worry, because we are going to
[12:02.400 --> 12:13.550]  DoS again. In this case, the attacker will abuse paging requests and will respond to them
[12:13.550 --> 12:37.980]  instead of the real mobile node. So most mobile network operators or MNOs and service providers
[12:37.980 --> 12:46.140]  all around the world are still using traditional and vulnerable mobile technologies like GSM
[12:46.140 --> 12:54.400]  and UMTS. So in this case, all mobile core network vulnerabilities like SS7 and SIGTRAN
[12:54.400 --> 13:00.080]  are possible because the attacker also has the passenger's IMSI number.
[13:01.100 --> 13:08.960]  These attacks are categorized into approximately four classes: fraud, spoofing, denial of service,
[13:08.960 --> 13:18.360]  and privacy violation. For example, sending a purge query, which is a MAP or Mobile Application
[13:18.360 --> 13:26.300]  Part message, to the core network will purge a subscriber's information from the database, or even
[13:26.300 --> 13:36.470]  DoS the passengers using an update location message, or cause impersonation.
[13:39.950 --> 13:48.850]  So now I'm going to talk about other attack vectors inside the core network, and that is exploiting
[13:48.850 --> 13:55.810]  the onboard mobile nodes using packet data. The picture illustrates the connection between
[13:55.810 --> 14:03.910]  the airplane and the core network, specifically packet data. By using air-to-ground, the airplane
[14:03.910 --> 14:10.470]  is connected to the base station. After that, using the S1-U interface, the data will reach the
[14:10.470 --> 14:17.810]  serving gateway. And the next node is the packet gateway, which is connected to the internet or
[14:17.810 --> 14:31.370]  any PLMN. Okay, so in this scenario, the attacker will cause data or packet manipulation,
[14:31.930 --> 14:36.730]  availability disruption, or even fraud by performing a brute force attack on the
[14:36.730 --> 14:46.870]  TEID or Tunnel Endpoint Identifier. Actually, the TEID specifies GTP or GPRS Tunneling Protocol
[14:46.870 --> 14:54.590]  endpoints for transmitting the data. So in this case, a packet data request is sent to the core
[14:54.590 --> 15:02.670]  network from, for example, a passenger. However, during the procedure of transmitting the data
[15:02.670 --> 15:14.250]  between the mobile node and SGW-PGW, an attacker brute forces the TEID to exploit it. So the connection
[15:14.250 --> 15:27.490]  is disrupted and the attacker can perform denial of service, fraud, etc. Hey folks, that's awesome
[15:27.490 --> 15:34.910]  because again, we are going to perform denial of service, manipulation, and fraud, this time by
[15:34.910 --> 15:42.930]  abusing GTP or GPRS Tunneling Protocol, which is playing a vital role in the packet core. These are
[15:42.930 --> 15:54.010]  going to be done because the attacker has the passengers' information. In this case, like the previous one,
[15:54.010 --> 16:03.150]  the attacker will abuse the GTP Delete Session Request to cause DoS or even impersonation, as well as the
[16:03.150 --> 16:12.730]  Create PDP Context Request. After these procedures, the attacker could take advantage of
[16:12.730 --> 16:20.470]  in-flight passengers' data sessions to perform fraud, terminate passengers' data flow, or even
[16:20.470 --> 16:33.280]  intercept the data. Thank you, my dear friends, for your attention. You can stay in touch with me
[16:33.280 --> 16:39.700]  on Twitter and LinkedIn. And many thanks to the Aerospace Village organizers and sponsors
[16:40.260 --> 16:47.420]  for delivering such great events. I will come back soon with my new research and hope to see you soon.
[16:47.420 --> 16:48.560]  Stay safe.
